AC-3 Access Enforcement
Description
Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security.
Applicability
This Control applies to University information resources that store or process mission critical and/or confidential information.
The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this Control are implemented.
The intended audience for this Control includes, but is not limited to, all information resource data/owners, management personnel, and system administrators.
Implementation
TAMU-CC shall enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
- Access to University information resources shall be appropriately managed.
- Each user of information resources shall be assigned a unique identifier except for situations where risk analysis demonstrates no need for individual accountability of users. User identification shall be authenticated before the information resources system may grant that user access. The Primary Custodian of an information resource shall authenticate a user's identity before granting that user access to the information resource.
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019